Website Security: Maintaining a Secure Website

Website security is no longer as simple as creating one creative password. The widespread use of content management systems has allowed nontechnical individuals to create and showcase websites. This is all fine and good, but the steps leading up to launching a site still remain complex. Poor forethought in the planning and execution (creation of code) of a website can lead to major vulnerabilities.

Unlike HTML-driven sites, CMS-driven sites rely on object-oriented scripting languages to operate. In the cases of ModX, Joomla, Drupal, Xoops, Typo, Radiant, Textpattern, Movable Type, and WordPress, this language is PHP. If PHP is poorly written, outsiders may take advantage of your site and hack into the system. With pure HTML, on the other hand, hackers could break in only if they determined the host username and password.

So keeping a website secure now involves much more than one password. Take Joomla, for instance. This installation runs on the latest versions of Apache, PHP, and MySQL, and requires an SQL database to run. The website security of the database relies on the following:

Security of the host (i.e. Convey Media)

Vulnerability of the software (i.e. Joomla 1.5.15)

Vulnerability of the extensions (e.g. Weather)

Password strength of the username to the host (i.e. when the client or I connect to Convey Media hosting server)

Password strength of the database username (i.e. when Joomla connects to the database)

Password strength of the administrator username (i.e. when the client or Convey Media logs into Joomla)

1) I recommend that you host with us. Our provider is an accredited member of the Better Business Bureau. Their servers are located in Chicago, and their customer support reps are located in the U.S. and Canada. Their servers have Intel Dual Quad Core Xeon processors, 8 GB RAM, and large RAID 10 storage arrays for maximum performance and redundancy, along with 100 Mbps connectivity to their switches. In addition, their servers are housed in a world-class co-location data facility with raised floors and dual city power grid feeds with backup power generators. The facility boasts an FM 200 fire suppression system with early pre-fire detection mechanisms, and is staffed by administrators and security personnel 24x7x365, including biometric and key card security systems with a rack-level locking mechanism.

2) Joomla 1.5.15 is the latest version available. It utilizes PHP scripts that execute on the server. What this means is that you, as an Internet surfer, cannot actually view a .php file in its original form. The server converts the necessary data (for the end-user to read) to other formats such as HTML. The server removes the sensitive data that it itself needs to connect to the database. If you need an example of this, I can email you what a page looks like in PHP (for the server) versus what the code looks like in HTML after it has been processed (what the end-user sees). Joomla is open-source software, and developers worldwide contribute to its security. Convey Media follows Joomla’s Security guidelines.

3) A calendar and weather button are two examples of Joomla extensions. These add-on files are checked by the Joomla community for website security breaches. All extensions are checked against the “Vulnerable Extensions List”. We will not install any extension that is on this list.

4) Password strength to a host connection is the first line of defense against an attack. A weak password can easily be breached. We require that hosting passwords (that connect you to the hosting server) be a minimum of eight (8) characters in length, using UPPERCASE letters, lowercase letters, alphanumeric characters and numbers. A typical password would be W3*GhX}4lHJ2.

5) Password strength of the MySQL database username is also critical. Again, Convey Media uses a password like that shown above. This password is separate from that of the host password.

6) Each user account within Joomla is prioritized. The “super administrator” accounts that the client and Convey Media hold have unlimited access, while the “registered” users among the client’s members will be able only to view (not alter or delete) registered content. All generated passwords will look like the examples listed above.
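The password rules in items 4 to 6 can be enforced mechanically. The following is an added example, not Convey Media's own tooling: it generates one independent password per credential and audits an existing set for policy failures and reuse. The role labels, the symbol set, and the default length of 12 are assumptions made for the example.

```python
import secrets
import string

MIN_LENGTH = 8  # minimum length stated in item 4
REQUIRED = {"uppercase": string.ascii_uppercase, "lowercase": string.ascii_lowercase,
            "digit": string.digits}
SYMBOLS = "*}{!#%+-=?@^_"  # assumption: the page's sample only shows '*' and '}'
ALPHABET = "".join(REQUIRED.values()) + SYMBOLS
ROLES = ("host", "database", "joomla_admin")  # hypothetical labels for items 4-6

def policy_failures(password):
    """Return the reasons a password fails the stated policy (empty list = pass)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    for name, chars in REQUIRED.items():
        if not any(c in chars for c in password):
            failures.append(f"no {name} character")
    return failures

def generate_password(length=12):
    """Draw from the OS CSPRNG; reject and redraw until the policy is met."""
    if length < MIN_LENGTH:
        raise ValueError("length is below the policy minimum")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_failures(candidate):
            return candidate

def generate_credential_set(roles=ROLES, length=12):
    """One independently generated password per role, never shared between roles."""
    creds = {}
    for role in roles:
        password = generate_password(length)
        while password in creds.values():
            password = generate_password(length)
        creds[role] = password
    return creds

def audit(creds):
    """Map each role to its policy failures, flagging reuse across roles."""
    report, first_seen = {}, {}
    for role, password in creds.items():
        report[role] = policy_failures(password)
        if password in first_seen:
            report[role].append(f"same password as {first_seen[password]}")
        first_seen.setdefault(password, role)
    return report
```

Rejection sampling is used in `generate_password` so that every character position stays uniformly random instead of forcing a fixed class into a fixed slot.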

Webmasters of sites developed by Convey Media can maintain their website security by updating Joomla when new versions become available, by regularly changing all passwords, and by keeping passwords in a safe place.